We know that there's a lot of techno-babble on these security web sites with "public-key encryption" this and "secure sockets" that. We've attempted to sort all that out on this page so that even our mothers can understand this secure stuff.

Let's start out with the question...

Should I really be concerned about Internet privacy?

You bet. The connection between you and any other point on the Internet can be routed through dozens of independent systems, any of which can easily be monitored. You should consider non-encrypted e-mail, web browsing, chatting, and any other Internet use about as private as yelling to someone across a crowded room.

What does SSL mean to me, the average Internet user?

When you come across a web page that is secured, your browser will likely display a 'closed lock' or other symbol to inform you that SSL has been enabled. The web site address should also now start with "https://" rather than the usual "http://".

In a nutshell, SSL allows a secure connection between your web browser and a web server. This secure information 'tunnel' was developed by Netscape Communications and was based on encryption algorithms developed by RSA Security. SSL is being widely adopted by numerous companies for client/server uses other than web surfing.

Client? Server? Browser? Huh?

If some of these terms are already starting to look foreign, try a website like Webopedia, which has definitions for most everything here.

What do the letters SSL stand for again?

Secure Sockets Layer.

So who uses SSL today?

Most all web-based online purchases and monetary transactions are now secured by SSL. When you submit your credit card to purchase a compact disc from CDNOW, for example, the order form information is sent through this secure tunnel so that only the folks at CDNOW can view it.

You may also be familiar with online banking. Financial institutions use SSL to secure the transmission of your PIN and other confidential account data.

Can anyone set up a secure web server?

As a consumer, you need to be aware that an SSL connection does not ensure the integrity of the organization you are sending your credit card information to. If you suspect a commercial web site of misuse of your personal information or believe the site's operators are engaged in illegal activities, your best course of action is to contact law enforcement officials in your area, or the Better Business Bureau Online at www.bbbonline.com.

Also note that SSL only protects the link between the browser and server; it does not protect that data once it is collected by the server. There have been numerous, widely publicized instances where a web server's data storage was compromised and large amounts of credit card and other personal data were stolen. Many web sites now post information security and privacy policies to inform customers of the organization's data handling procedures.

There are many web server/client products that support SSL connections. To set up shop on the web, all one would need is access to one of these servers, and to acquire a digital certificate to enable SSL. For a list of some of these products, try the RSA Secured Solutions Directory at http://www.rsasecured.com/.

I thought we weren't going to get too technical. Digital certificate? What's that all about?

Well, think of the digital certificate as the key to starting the SSL engine. Maybe more like a driver's license. It's just an identification card that the server uses to prove that it is who it says it is.

Digital Certificates are issued by Certificate Authorities (CAs). This is where it gets tricky, because anyone with the right software can be a certificate authority, just like anyone can make a piece of paper that says it's a driver's license. But just as only the state government can issue a license that a police officer will accept, there are certain trusted CAs that your web browser will accept (such as VeriSign, Inc.). Of course, you can tell your web browser to accept other CAs if you want to. In this case, you're the police officer that's accepting these certificates, so you should accept certificates only from sources you trust.

Also note that, just like the SSL connection itself, a digital certificate does not vouch for the integrity of the company it is issued to. Be wary of who you send your credit card information to, regardless of whether the connection is secure or not.

So you mean that SSL has to have these 'digital certificates' in order to function, and vice-versa?

Yes. Digital Certificates facilitate the public key exchange that is required to enable an SSL connection.

While your digital certificate can be issued by any Certificate Authority, most web browsers contain a list of trusted CAs, such as VeriSign or Thawte. As an example, if someone goes to your secured web site that has a certificate issued by "Slick Rick's Speedy Certificate Authority", they will be asked if they wish to accept that CA as valid. Not knowing who Slick Rick is, they may decline.
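The "Slick Rick" situation above, acted out with the OpenSSL command-line tool as an added example (this is not code from the original page; every CA, key and site name in it is constructed for the demonstration). A trust file stands in for the browser's list of trusted CAs: a server certificate issued by an unknown CA is declined until the user adds that CA to the list.

```shell
#!/bin/sh
# Added example, not from the original page: the "Slick Rick's" scenario acted out with
# OpenSSL. All names and certificates below are constructed for this demonstration.
set -e
WORK=$(mktemp -d)

# The browser's built-in list of trusted CAs (here: one constructed CA, "Well-Known Browser CA")
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Well-Known Browser CA" \
    -keyout "$WORK/known.key" -out "$WORK/trusted.pem" >/dev/null 2>&1

# Slick Rick's Speedy Certificate Authority: anyone with the software can make one
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Slick Rick's Speedy CA" \
    -keyout "$WORK/rick.key" -out "$WORK/rick.pem" >/dev/null 2>&1

# A web site owner asks Slick Rick to issue a server certificate for shop.example
openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/rick.pem" -CAkey "$WORK/rick.key" \
    -CAcreateserial -days 1 -out "$WORK/server.pem" >/dev/null 2>&1

# Does the server certificate chain to a CA in the trust list given as $1?
# Prints "accepted" or "declined", which is the choice the browser puts to the user.
check_server_cert() {
    if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo declined
    fi
}

# First visit: the browser has never heard of Slick Rick, so the certificate is declined
before=$(check_server_cert "$WORK/trusted.pem")

# The user decides to trust Slick Rick (adds the CA to the browser's list) and tries again
cat "$WORK/rick.pem" >> "$WORK/trusted.pem"
after=$(check_server_cert "$WORK/trusted.pem")

echo "before trusting Slick Rick's CA: $before"
echo "after trusting Slick Rick's CA:  $after"
rm -rf "$WORK"
```

Note that trusting the CA only makes the chain verify; as the page says, it says nothing about whether shop.example is honest.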

Digital Certificates are not only used in SSL...they are also used in other protocols such as S/MIME (Secure Multipurpose Internet Mail Extensions) to secure e-mail exchanges.

What's the difference between a 40-bit SSL connection and a 128-bit SSL connection?

Many banks require 128-bit encryption for online banking because 40-bit encryption is considered to be relatively weak. A 128-bit key space is about 309 septillion times (309,485,000,000,000,000,000,000,000) larger than a 40-bit one.

Equated to the real world, sending information without encryption is like sending a postcard through the mail - the contents are visible to practically anyone who wants to see it. Using this analogy, 40-bit encryption is like sending the information in a plain white envelope. 56 bits could then be equated to using a security envelope that is printed to prevent it from being see-through.

Relative to these strengths, 128-bit encryption could be compared to encasing your data in a lead-lined, 12-inch thick titanium safe that is being transported by an armored tank with a convoy of a hundred armed guards. In other words, 128-bits is considerably more secure than 40.

Is it true that 128-bit encryption can't be exported overseas?

Prior to January 2000, software products that contained strong encryption were considered a munition by the US Government and in most cases could not be shipped to or downloaded by anyone overseas. Most web browsers were limited to 40 or 56-bit SSL encryption, which we all now know is pretty weak, right? Multiple versions of many software applications, including web browsers, were developed because of these export limitations.

In January of 2000 many of these limitations were lifted, and most companies can now ship full strength 128-bit versions of their products worldwide (except to countries that the US has trade policies against: Libya, Cuba, Iraq, etc.).

So how can I tell if my web browser has 128-bit encryption?

Most newer browsers now support a variety of SSL bit strengths. This ensures that the browsers are fully compatible with most all web servers and digital certificates, which were also shipped worldwide at lower encryption strengths.

If you have an older browser you downloaded without filling out a brief residency confirmation form, you likely have the 40 or 56-bit version. Check your browser's encryption preferences to see what strengths you have available. You can also try Fortify.net's SSL test page for a readout of what strengths your browser supports.

If SSL is so cool, why isn't it "engaged" on a web site all the time?

Because all information going back and forth between the client and server is being put through an encryption process instead of being sent plain, the server and browser take longer to process this data. The speed difference may not be noticeable on a single page, but if all of a website's pages were encrypted, the server's performance could be significantly reduced.

Some web site administrators may set their servers to only require 40 or 56-bit operations, which may be fine for less sensitive information. Most financial institutions require 128-bit browser strength to ensure optimum security.
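The strength check the page describes for browsers (and the "require 128-bit" server policy just above), done against the local OpenSSL library as an added example that is not part of the original page. It lists the key size of every cipher suite a cipher specification yields and applies a minimum-bits policy; the spec strings are constructed for the demonstration, and EXPORT40 and DES-CBC-SHA are OpenSSL's names for the 40- and 56-bit suites of the export era.

```shell
#!/bin/sh
# Added example, not from the original page: audit cipher suites by symmetric key size
# with "openssl ciphers -v", which prints lines such as
#   ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
# The number in parentheses after Enc= is the key size in bits.

# Print "<bits> <suite name>" for every suite matched by the cipher spec in $1.
suite_strengths() {
    openssl ciphers -v "$1" 2>/dev/null |
        sed -n 's/^\([^ ]*\) .*Enc=[^(]*(\([0-9]*\)).*/\2 \1/p'
}

# Smallest key size the spec offers, or 0 when it matches no suite at all. That is what
# happens for EXPORT40 and DES-CBC-SHA on a modern build: those suites no longer exist.
weakest_bits() {
    bits=$(suite_strengths "$1" | sort -n | head -n 1 | cut -d' ' -f1)
    echo "${bits:-0}"
}

# Bank-style policy: every suite the spec offers must use at least $2 bits (default 128).
spec_meets_policy() {
    min=${2:-128}
    w=$(weakest_bits "$1")
    [ "$w" -ge "$min" ]
}

for spec in DEFAULT 'HIGH:!aNULL' EXPORT40 DES-CBC-SHA; do
    printf '%-12s weakest key size: %3s bits  ' "$spec" "$(weakest_bits "$spec")"
    if spec_meets_policy "$spec" 128; then
        echo "(meets 128-bit policy)"
    else
        echo "(does not meet 128-bit policy)"
    fi
done
```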